ASK THE EXPERT - PIX/ASA AND FWSM PLATFORMS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot the PIX, Adaptive Security Appliances and Firewall Service Module product lines with Magnus Mortensen. Magnus is a Technical Assistance Center (TAC) engineer supporting Cisco's firewall security products in Research Triangle Park, North Carolina. He also takes part in the monthly TAC Security Podcast, which covers a wide range of network security related topics as well as troubleshooting and configuration tips and tricks from a TAC engineer's point of view. His specialties include the Cisco ASA Adaptive Security Appliance, Cisco Firewall Services Module, and Cisco IOS Software firewall technologies. He is currently studying for his CCIE Security Lab.

Remember to use the rating system to let Magnus know if you have received an adequate response.

Magnus might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 8, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

I wish I had good news for you, but unfortunately a NAT router/firewall in front of a Phone Proxy ASA is not supported. Phone Proxy requires publicly routable addresses for both signaling and media termination; as a result, the implementation you are trying to set up will most likely not work. Many customers implement a standalone Phone Proxy ASA in parallel to the existing firewall in the network. The ASA would have interfaces on the outside Internet segment as well as on the inside subnet. Would you be able to place the Phone Proxy ASA in such a fashion? If you go down that path, then all you need to do to make sure routing isn't a problem is to use ASA version 8.2 or later and run per-interface MTA along with some NAT tricks in order to make sure that traffic destined for the proxied phones goes through the Proxy ASA and not through the other firewall.

For Episode 14, we changed how/where we are doing the recordings, so it is taking us a little bit of time to re-tool/edit and release this latest podcast. We hope to have it up and running soon. Thanks for listening!

I am working on a project that involves CAT6K with ACE and FWSM modules (one ACE and two FWSM modules per physical chassis). I want to run FWSM in routed mode, but according to the docs FWSM in VSS does not support RHI.

I was wondering if RHI will be supported in this setup anytime soon?

One "workaround" is to put ACE before FWSM so in that case FWSM lack of RHI support does not present a problem.

We see this question come up from time to time. There are some documents out there that incorrectly state that VSS and RHI do not work together. From FWSM version 4.0.4 onwards, RHI is supported in VSS. You can get more information about supported chassis code for VSS and RHI here:

Most of the bugs that manifest as RHI routes not being removed after failover should be fixed in the 4.1.x versions. It may be worth opening a case so we can ID a bug (worst case, file one) so we can improve the feature.

I'm not sure what could be causing that off the top of my head. One thing that may be worth looking into is the Java Console in ASDM. You can access the console from the Tools menu in ASDM. Based on the fact that it takes about a minute, I think that some other operation may be timing out or erroring out. Do you see anything stand out in the Java Console?

I have seen issues with Polycom and the PIX that manifest as dropped packets as a result of some IP options. If you enable Debug Level Syslogs, do you see any logs related to the endpoints in question? Any logs indicating dropped packets and the like? In some cases, as a result of protocol incompatibility, we need to disable the fixups and simply permit the traffic with ACLs. That may be worth testing, but with the old 6.x code you can only enable/disable the fixup globally; you have no granular control. With that in mind, a move to 7.2.5 may be of some value so you can get the better/advanced inspections, but also the ability to use MPF to selectively disable certain fixups (inspections) for certain flows.
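The MPF approach the answer describes, as an added example that is not from the original thread: on ASA 7.2.x, H.225 inspection is removed from the default class and re-applied only to a class that excludes the Polycom endpoint, and the endpoint's signaling and media are then permitted with plain ACLs because the inspection engine no longer opens pinholes for it. The host address 10.1.20.15, the ACL and class names, the interface name `outside`, and the UDP media range are all assumed values.

```cisco
! Added example, not configuration from the thread. Assumed: Polycom endpoint at
! 10.1.20.15, interface nameif "outside", ACL/class names, and the UDP media range.
!
! H.225 signaling (TCP 1720, port keyword h323) for everyone EXCEPT the Polycom host.
! "deny" lines in a class-map ACL exclude that traffic from the class.
access-list H323_INSPECT extended deny tcp host 10.1.20.15 any eq h323
access-list H323_INSPECT extended deny tcp any host 10.1.20.15 eq h323
access-list H323_INSPECT extended permit tcp any any eq h323
!
class-map H323_NARROWED
 match access-list H323_INSPECT
!
! The Polycom host gets no dynamic pinholes any more, so its signaling and media
! must be permitted statically on the outside interface (media range assumed).
access-list OUTSIDE_IN extended permit tcp any host 10.1.20.15 eq h323
access-list OUTSIDE_IN extended permit udp any host 10.1.20.15 range 3230 3253
access-group OUTSIDE_IN in interface outside
!
! Move inspect h323 h225 off the default class and onto the narrowed class;
! RAS inspection stays where it was.
policy-map global_policy
 class inspection_default
  no inspect h323 h225
 class H323_NARROWED
  inspect h323 h225
!
service-policy global_policy global
```

Keeping the class ACL restricted to TCP 1720 matters: an `inspect` applied to a class that matches all ports makes the engine look at every flow in that class, which is the kind of misclassification that produces new drops rather than fixing the old ones.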

"To allow management access to an interface other than the one from which you entered the adaptive security appliance when using VPN, use the management-access command in global configuration mode."

If you are not coming over a VPN tunnel that terminates on the ASA, then the only way to access that ASA from locations behind the NicTrans_outside interface, would be to connect to the NicTrans_outside IP address and not that of the management interface.
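The two access paths from the answer, as an added configuration example that is not from the thread: `management-access` covers administrators arriving over a VPN tunnel terminated on the ASA, while everyone else behind NicTrans_outside is permitted against the NicTrans_outside address directly. The interface nameif `inside` (for the interface whose address the VPN users should reach) and the 192.168.50.0/24 administrator subnet are assumed.

```cisco
! Added example, not configuration from the thread. NicTrans_outside comes from the
! question; "inside" as the reachable interface and 192.168.50.0/24 are assumed.
!
! VPN clients whose tunnel terminates on this ASA may manage it on the "inside"
! address even though their packets arrive on NicTrans_outside.
! Only one interface can be named here.
management-access inside
!
! Non-VPN hosts behind NicTrans_outside must connect to the NicTrans_outside
! address, and that interface has to be explicitly opened for SSH/ASDM.
ssh 192.168.50.0 255.255.255.0 NicTrans_outside
http server enable
http 192.168.50.0 255.255.255.0 NicTrans_outside
```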

We have deployed MPLS, and have several L3VPN, we are using a routed context from a single FWSM in Catalyst 6500 with static route to communicate between global routing table and vrf routing table. With more and more L3VPN added, we want to add redundancy/failover to our design.

I am thinking of using a pair of FWSMs in separate Catalyst 6500 chassis with firewall failover and HSRP for the outside VLAN and inside VLAN, outside VLAN connecting to the global RT, inside VLAN connecting to the VRF RT.

Basically the global table will have a static route for the VRF address space pointing to the active outside IP of the FWSM context,

the FWSM context outside VLAN will have a static default route pointing to the HSRP active in the global RT,

the FWSM context inside VLAN will have a static route for the VRF address space pointing to the HSRP active in the VRF RT,

then in the VRF RT, a default static route to the FWSM context inside active.

Is this kind of setup supported? What's your recommendation to add redundancy/failover?

If my interpretation of your network design is right, this should be just fine. This is the basic concept of inter-chassis failover. With this design, if the Primary FWSM in Chassis A fails, the Secondary FWSM in Chassis B will take over. When the FWSMs fail over, the active HSRP interface does not fail over. So when we are running through the Secondary FWSM, the traffic will flow through the Chassis A VRF, over the trunk on the INSIDE VLAN to the Secondary (now Active) FWSM in Chassis B, through the FWSM and then back over the trunk on the OUTSIDE VLAN to Chassis A to be routed by the Global Routing table. This design will provide redundancy for the FWSMs.

I had to dig around a bit to double check, but from what I can see this was integrated into ASA code version 8.2.1, so moving to 8.2.3 would make sense and also provide the most bug fixes in the 8.2.x code train. Unfortunately I do not see any plans to add H.323 v6 support to the FWSM platform at this time. The FWSM, if v6 traffic passes through, will have the version downgraded to version 4 and extra fields removed.

I know that we can implement ASA failover A/A or A/S, and that we can implement redundant interfaces. I know that each piece of equipment has an MTBF value. What I would like to know is how much better A/S implemented with a redundant interface is compared with A/S without a redundant interface (maybe as a percentage).

I do not think I have seen any MTBF numbers for interface failures, but we (TAC) rarely see cases come in where an interface has failed. Usually the failures are chassis-level failures (won't boot/power up/etc). As a result I can only assume that the interfaces have a higher MTBF, so with/without a redundant interface wouldn't make a difference. The redundant interface setup could help protect you from failures of the attached switches, but it won't get you much on the ASA itself.

You can export the Access-list rule configuration page of ASDM. In ASDM go to 'Configuration' -> 'Firewall' -> 'Access Rules' and click on the EXPORT button in the bar above the rule table. Options include HTML or CSV. I just tested this on my ASA 8.3.x/ASDM 6.3.x and ASA 8.2.x/ASDM 6.2.x setups and it seems to export a CSV file just fine.

We have 2 pairs of ASAs (5520), each pair is in Active/Active mode. I noticed that the failover IP gets the same automatic MAC address (1200.0200.0400) on both pairs. Is this normal behavior? If this gives me MAC flapping when connecting the mentioned ports to the same management zone, is the solution to assign manual MAC addresses?

It sounds like you may want to look into using the 'mac-address auto prefix' command. This command was first put into ASA code in version 8.0.5, and the goal is to make the auto-generated MAC addresses more unique so you could have multiple ASAs without MAC conflicts. More information about this command can be found here:
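How the command is applied to the two-pair case from the question, as an added example that is not from the thread: the prefix is set in the system execution space of each Active/Active pair, and the point is to give each pair a different prefix so the generated context MACs no longer collide on the shared management segment. The prefix values 101 and 202 are assumed; the manual alternative shown in the comments is the per-interface `mac-address` command, which the question also asks about.

```cisco
! Added example, not configuration from the thread. Prefix values are assumed;
! any two distinct values in the allowed range will do.
!
! ---- Pair 1, system execution space ----
mac-address auto prefix 101
!
! ---- Pair 2, system execution space ----
mac-address auto prefix 202
!
! After changing the prefix, "show interface" inside each context should show
! auto-generated addresses that differ between the two pairs.
!
! Manual alternative (per context, on the interface), if you would rather pin
! the addresses yourself; the MACs below are placeholders:
! interface GigabitEthernet0/0
!  mac-address 0200.0000.0a01 standby 0200.0000.0a02
```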

My office has one Cisco ASA 5510. I've noticed in the firewall dashboard tab that there is a scanning attack and a SYN attack. It always has a number of attacks there, on average 4 attacks. Is there any possibility to know who is doing the attack and how to stop them?

And beside that, the TOP 10 Protected Server Under Syn Attack is showing as below

Depending on the FWSM version and configuration there are different ways to control the AAA when sessioning down from the chassis...

- If you are in single mode, you can control the sessioning to the module with the 'aaa authentication telnet console xxx' line.

- If you are in multiple mode running code 3.2 or later, you can control the authentication used for sessions by using the 'aaa authentication telnet console xxx' in the *admin* context.

- If you are in multiple mode running code earlier than 3.2, you may be a bit out of luck.

If you are in multiple mode and running 3.2 or later, do not use the 'enable' command after logging in, instead use the 'login' command. That will allow you to keep the authenticated username as you transition between contexts.
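The multiple-mode procedure from the answer (FWSM 3.2 or later), as an added example that is not from the thread: authentication for sessions is configured in the admin context, and after sessioning down from the supervisor you use `login` rather than `enable` so the authenticated username carries across `changeto context`. The local username, the slot number and the context name are assumed.

```cisco
! Added example, not configuration from the thread. Assumed: local user "fwadmin",
! FWSM in slot 4, a customer context named "customerA". LOCAL can be swapped for
! a configured TACACS+/RADIUS server group name.
!
! ---- admin context ----
username fwadmin password <placeholder> privilege 15
aaa authentication telnet console LOCAL
!
! ---- from the Catalyst 6500 supervisor ----
! session slot 4 processor 1
!   (prompted for the admin-context username/password: fwadmin)
! FWSM> login
!   (re-enter fwadmin; the username is now attached to this session)
! FWSM# changeto context customerA
! FWSM/customerA#
!
! Using "enable" instead of "login" at the FWSM> prompt would authenticate with the
! enable password and drop the per-user identity when you switch contexts.
```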